Run Wireguard on Crostini (Linux on ChromeOS)

Getting around the limitations of running Wireguard on Crostini Published 2025-03-22

The Problem

I would like to run Wireguard on my Chromebook. I have a few options:

  1. Use built-in VPN support in Chrome OS

Chrome OS does support Wireguard natively, but it is limited in what it can do. You can’t connect to multiple VPNs at the same time, and you can’t do split tunneling. I need these features.

  1. Download the Wireguard app from the Play Store

I’ve used this method before for a Tailscale connection, and it does work. However, Android apps feel a bit clunky on my low-end Chromebook, and I’m not sure if multiple connections and split tunneling are supported.

  1. Run Wireguard in Crostini

Crostini is a Linux environment that runs on Chrome OS. It’s a full Linux environment, so I can run Wireguard with all the features I need. Unfortunately, it’s not as simple as running sudo apt install wireguard. Apparantly the Wireguard kernel module is not available in Crostini, or something like that.

The Solution

We can run Wireguard in user space using the wireguard-go tool. This means we don’t need the kernel module at all. It supposedly has lower maximum throughput than the kernel implementation, but it’s good enough for my use case.

Here’s the plan:

  1. Install wireguard-tools and wireguard-go
  2. Create a Wireguard interface using wireguard-go
  3. Use wg to configure the Wireguard interface
  4. Set the IP address and bring up the interface
  5. Set up routing and test the connection

1. Install wireguard-tools and wireguard-go

We need the wg tool from wireguard-tools to configure the Wireguard connection, and wireguard-go to actually run the connection. The first part is easy:

sudo apt install wireguard-tools

As for the second part, we need to build wireguard-go from source. You need to have Golang installed - I recommend using mise to do this. Build wireguard-go like this:

git clone https://git.zx2c4.com/wireguard-go
cd wireguard-go
make

Now we have the wireguard-go binary. You can move it to a directory in your PATH, or just run it from the current directory.

2. Create a Wireguard interface using wireguard-go

sudo ./wireguard-go wg0 #or whatever you want to name the interface

Now there should be a new interface called wg0. You can check this with ip link show.

3. Use wg to configure the Wireguard interface

We need the Wireguard configuration file for this part. If you don’t have one, go read the Wireguard quick start guide. I recommend putting the configuration file in /etc/wireguard/.

You need to comment out the Address, PostUp and PostDown lines in the configuration file. We will set these manually later.

Now we can use the wg tool to configure the connection:

sudo wg setconf wg0 /etc/wireguard/wg0.conf # or wherever your configuration file is

If there are errors, it’s probably because of the configuration file. Make sure you commented out the lines I mentioned earlier.

4. Set the IP address and bring up the interface

Get the IP address from the Address line (which was commented out earlier from the config file), and assign it to the interface:

sudo ip addr add [IP] dev wg0

Bring up the interface:

sudo ip link set mtu 1420 up dev wg0 # The default MTU is 1420

5. Set up routing and test the connection

Each peer in the config should have an AllowedIPs line. Add a route for each (or for the whole subnet) like so:

sudo ip route add [ALLOWED_IP] dev wg0

All is done on the Chromebook’s side. You can test the connection with a simple ping:

ping [IP_OF_PEER]